Corey Elinburg, SVP/CISO at CommonSpirit Health – one of the largest in the country, with 150 hospitals and 1,000 clinics – has a pretty strict outlook on cyber hygiene. He wants security controls operating 100% of the time, not 99%. In this interview with healthsystemCIO Founder and Editor-in-Chief Anthony Guerra, Elinburg says at CommonSpirit, the culture is clear: follow the security rules for adding new apps, or face getting it shut down. But before you think about drawing that line in the sand at your organization, train your people on why it’s important, and let them know what to expect. Elinburg relies heavily on his direct reports and claims he couldn’t scale without them, and he loves passing on the secrets of the security trade to those below him. Elinburg’s message to fellow CISOs: healthcare needs your support. We have a great mission, he says, not only at CommonSpirit, but across the industry.

LISTEN HERE USING THE PLAYER BELOW OR SUBSCRIBE THROUGH YOUR FAVORITE PODCASTING SERVICE. 

Bold Statements

If you want to see a lot of CISOs wince, you get them in a room and you ask, “How many of you would raise your hand and guarantee me that you have in your inventory management system every asset that is touching your network?”

So I really believe, from a technology perspective, the enablement tools are there, I think what’s missing is the dedication to clean it up.

Your next job should stretch you. It should make you uncomfortable. And I’m not embarrassed to say moving into this role stretched me and still makes me uncomfortable. But what you need to really ask yourself is, do you have the capacity or the willingness to learn?

Guerra: Corey, thanks for joining me.

Elinburg: Anthony, thank you so much for the invite. It’s my pleasure.

Guerra: You got it. All right, let’s start out, you want to tell me a little bit about your organization and your role.

Elinburg: Sure, CommonSpirit is one of the largest nonprofit health systems in the U.S. We’ve got over 150 acute care facilities, so hospitals, and then well over 1,000 clinics throughout the United States. And one of my favorite parts about CommonSpirit is we’re a mission-oriented organization. So one of our primary purposes is to make sure that everyone in the U.S., regardless of their socio-economic background, has equality in healthcare, and in the quality of healthcare that they’re provided. And I’m proud to say that in many cases, much of our profit goes to actually providing healthcare for those that can’t provide it for themselves or can’t pay for it. So it’s a privilege to work and be able to serve and help secure the data of those patients that trust us.

Guerra: Very good, Corey. Thank you. I want to start with an open-ended question and just find out what’s on your mind? What are some of the trends that that you’re watching, technologies you’re looking at, threats you’re looking at?

Elinburg: Well, there certainly are the ones that everyone else would talk about Anthony, clearly ransomware. And if you read the news, you know that that is impacting healthcare across the country in a very serious manner, particularly providers like us that are providing direct care to patients.

But it’s not only things like that, it’s the preventative side of the house and what we can do in healthcare where we have more of a fixed budget, from a cybersecurity perspective, and how you make the most of that.